QUESTION 41

Refer to the exhibit. 
*** Exhibit is Missing *** 

This Cisco IOS access list has been configured on the Fa0/0 interface in the inbound direction.
Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the Fa0/0 interface are
permitted? (Choose four.)



A. destination ip address: 192.168.15.37 destination port: 22 

B. destination ip address: 192.168.15.80 destination port: 23 

C. destination ip address: 192.168.15.66 destination port: 8080 

D. destination ip address: 192.168.15.36 destination port: 80 

E. destination ip address: 192.168.15.63 destination port: 80 

F. destination ip address: 192.168.15.40 destination port: 21 



Answer: BCDE 



QUESTION 42 

You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature 
be in before any actions can be taken when an attack matches that signature? 



A. enabled 

B. unretired

C. successfully compiled

D. successfully compiled and unretired

E. successfully compiled and enabled

F. unretired and enabled

G. enabled, unretired, and successfully compiled



Answer: G 



QUESTION 43 

Which statement describes how the sender of the message is verified when asymmetric 
encryption is used? 

A. The sender encrypts the message using the sender's public key, and the receiver decrypts the message 
using the sender's private key. 

B. The sender encrypts the message using the sender's private key, and the receiver decrypts the message 
using the sender's public key. 

C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message 
using the receiver's private key. 

D. The sender encrypts the message using the receiver's private key, and the receiver decrypts the message 
using the receiver's public key. 

E. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message 
using the sender's public key. 

Answer: B 

QUESTION 44 

Refer to the exhibit. 
***Exhibit is Missing*** 

Which three statements about these three show outputs are true? (Choose three.) 

Implementing Cisco IOS Network Security (IINS v2.0) (640-554) 

A. Traffic matched by ACL 110 is encrypted.

B. The IPsec transform set uses SHA for data confidentiality. 

C. The crypto map shown is for an IPsec site-to-site VPN tunnel. 

D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer. 

E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode. 

F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2.

Answer: ACD

QUESTION 45 

Which type of security control is defense in depth? 

A. threat mitigation 

B. risk analysis 

C. botnet mitigation 

D. overt and covert channels 

Answer: A 
QUESTION 46 

Which two options are two of the built-in features of IPv6? (Choose two.) 

A. VLSM 

B. native IPsec 

C. controlled broadcasts 

D. mobile IP 

E. NAT 

Answer: BD 
QUESTION 47 

Which option is a characteristic of the RADIUS protocol? 

A. uses TCP 

B. offers multiprotocol support 

C. combines authentication and authorization in one process 

D. supports bi-directional challenge 

Answer: C 

QUESTION 48 

Refer to the exhibit. 
***Exhibit is Missing*** 

Which statement about this debug output is true? 

A. The requesting authentication request came from username GETUSER. 

B. The TACACS+ authentication request came from a valid user. 

C. The TACACS+ authentication request passed, but for some reason the user's connection was closed 
immediately. 

D. The initiating connection request was being spoofed by a different source address.

Answer: B 
QUESTION 49 

When STP mitigation features are configured, where should the root guard feature be deployed? 

A. toward ports that connect to switches that should not be the root bridge 

B. on all switch ports 

C. toward user-facing ports 

D. Root guard should be configured globally on the switch.

Answer: A

QUESTION 50 

Which option is a characteristic of a stateful firewall? 

A. can analyze traffic at the application layer 

B. allows modification of security rule sets in real time to allow return traffic 

C. will allow outbound communication, but return traffic must be explicitly permitted 

D. supports user authentication 

Answer: B 
QUESTION 51 

Which type of NAT would you configure if a host on the external network required access to an 
internal host? 

A. outside global NAT 

B. NAT overload 

C. dynamic outside NAT 

D. static NAT 

Answer: D 
QUESTION 52 



Drag and Drop Questions

Drag the IPS detection approaches from the left and drop them on the correct IPS detection technology categories on the right.

IPS detection approaches (left):

detects attacks based on known attack fingerprints

detects unexpected traffic spikes

only allows HTTPS traffic to the web server

detects events based on correlations with a blacklist downloaded from a dynamically updated database

IPS detection technology categories (right):

policy based

anomaly based

signature-based

reputation-based

QUESTION 53

Drag and Drop Questions

QUESTION 55

Drag and Drop Questions 

Match the descriptions on the left with the IKE phases on the right. 

Perform a Diffie-Hellman exchange

Establish IPsec SAs

Negotiate IPsec security policies

Negotiate IKE policy sets and authenticate peers

Perform an optional Diffie-Hellman exchange

IKE Phase 1

IKE Phase 2

Answer:
*** Exhibit is Missing ***


QUESTION 56 

Drag and Drop Questions 

IKE Phase 2



Negotiate IPsec security policies 

QUESTION 57

Drag and Drop Questions

the left and drop them on the correct protocols on the right. Not all the options on the left are

Lab Simulation

You are the network security administrator for Big Money Bank Co. You are informed that an attacker has performed
a CAM table overflow attack by sending spoofed MAC addresses on one of the switch ports. The attacker has since
been identified and escorted out of the campus. You now need to take action to configure the switch port to protect
against this kind of attack in the future.

For purposes of this test, the attacker was connected via a hub to the Fa0/12 interface of the switch. The topology is
provided for your use. The enable password of the switch is cisco. Your task is to configure the Fa0/12 interface on
the switch to limit the maximum number of MAC addresses that are allowed to access the port to two and to
shut down the interface when there is a violation.

Enable password: cisco




[Topology figure (CAM Table Overflow Attack). Labels: Management, vlan 1, fa0/12, Server A, PC, Attacker PC, User1 PC, User2 PC; spoofed source MACs aaaa.bbbb.1111, aaaa.bbbb.2222, aaaa.bbbb.3333, etc.]

-S#show run
Building configuration...
Current configuration
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname -S
!
!
enable secret 5 $l$0/yw&toqA0XRiCtY&gh?pM06fS0
!
ip subnet-zero
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 172.26.26.202 255.255.255.0
 no ip route-cache
!
ip http server
!
line con 0
line aux 0
line vty 5 15
 password Cisco
 login
!
end

Answer:

Switch1>enable
Switch1#config t
Switch1(config)#interface fa0/12
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#switchport port-security violation shutdown
Switch1(config-if)#no shut
Switch1(config-if)#end
Switch1#copy run start

QUESTION 60 

Which two features are supported by Cisco IronPort Security Gateway? (Choose two.) 

A. spam protection 

B. outbreak intelligence 

C. HTTP and HTTPS scanning 

D. email encryption 

E. DDoS protection 

Answer: AD 